Hello David,

Tuesday, January 22, 2008, 12:43:09 PM, you wrote:

> Hi,

> I think I must have missed something or been asleep. I've had a look at the
> Sniffer site and to be honest I don't fully understand what GBUdb is. I've
> read the technical details page but I don't see how it fits into the whole
> scheme of things, if it's useful to me, and if it is, how to implement it. I
> understand what it's trying to achieve but I can't see beyond that.

Think of GBUdb as an enhancement to the SNF scanning engine.

GBUdb keeps track of where messages come from and whether those
messages are spam or not. If they fail an SNF pattern rule then they
are considered to be spam. If they do not fail an SNF pattern rule
then they are not considered to be spam.

When a new message comes from a source that GBUdb knows about then it
SNF work better and faster.

________________
Reducing Leakage:

If GBUdb knows that messages from a particular source are almost
always spam then SNF will detect the message as spam even if there is
no pattern rule yet. This helps reduce leakage.

That is-- new spam from old bots will generally get killed by GBUdb.

________________________
Reducing False Positives:

On the other side of things; if an SNF pattern rule tags a message
that comes from a trusted source then GBUdb will make sure that the
message gets through. This reduces false positives.

_________________
GBUdb has Friends:

One other thing that is important about GBUdb is that it doesn't work
alone -- it has friends. All of the GBUdb systems on the 'net share
what they know about message sources. This way when a spam bot starts
to send messages to a new system that's never seen it before the other
GBUdb systems can tell the new system that the message source (IP) is
bad so it doesn't have to start learning that information all on its
own.

_________________________
Faster and More Efficient:

In addition to reducing leakage and false positives, GBUdb also makes
message scanning go faster and take fewer resources. If GBUdb knows
that a message source is very, very bad then it will cause SNF to stop
scanning the message as soon as it sees the IP address that sent it.
This is the truncate feature. The result is that between 15% and 50%
of messages going through the SNF scanner will be handled almost
instantaneously - without bothering to look at most of the message.

Hope this helps,

_M

-- 
Pete McNeil
Chief Scientist,
Arm Research Labs, LLC.
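
A toy model of the decision flow described in the message above, added here as an illustration. It is not SNF or GBUdb code: the class and method names, the thresholds and the verdict strings are all assumptions, since the post gives no numbers or interfaces.

```python
from dataclasses import dataclass

# Assumed thresholds for this sketch; the post does not state any.
TRUNCATE_AT = 0.95  # "very, very bad": stop at the IP, skip the body scan
BAD_AT = 0.80       # "almost always spam"
GOOD_AT = 0.10      # trusted source
MIN_SAMPLES = 20    # no override until a source has some history


@dataclass
class Record:
    good: int = 0
    bad: int = 0

    def spam_ratio(self):
        total = self.good + self.bad
        return self.bad / total if total else 0.5


class SourceReputation:
    """Per-IP good/bad counters layered on a pattern scanner (hypothetical)."""

    def __init__(self):
        self.records = {}

    def merge_peer(self, ip, good, bad):
        # Counts shared by another node, so a new system need not learn alone.
        rec = self.records.setdefault(ip, Record())
        rec.good += good
        rec.bad += bad

    def decide(self, ip, pattern_scan):
        """pattern_scan is a callable returning True if a pattern rule matched."""
        rec = self.records.setdefault(ip, Record())
        known = rec.good + rec.bad >= MIN_SAMPLES
        ratio = rec.spam_ratio()  # reputation before this message is counted
        if known and ratio >= TRUNCATE_AT:
            return "truncate"  # the expensive scan is never called
        matched = pattern_scan()
        if matched:
            rec.bad += 1   # failed a pattern rule: counted as spam
        else:
            rec.good += 1  # passed the pattern rules: counted as not spam
        if known and not matched and ratio >= BAD_AT:
            return "spam-by-source"  # leakage reduction: no rule yet
        if known and matched and ratio <= GOOD_AT:
            return "allow-trusted"   # false-positive reduction
        return "spam" if matched else "clean"
```
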

